1 <!-- EUG Chapter Statistics -->
4 <chapter id="ChStatistics">
5 <title>Statistics</title>
6 <section id="ChStatIntroduction">
7 <title>Introduction</title>
9 Ethereal provides a wide range of network statistics.
12 These statistics range
13 from general information about the loaded capture file (like the number of
14 captured packets), to statistics about specific protocols
15 (e.g. statistics about the number of HTTP requests and responses captured).
23 <para><command>Summary</command> about the capture file.</para>
26 <para><command>Protocol Hierarchy</command> of the captured packets.</para>
29 <para><command>Endpoints</command> e.g. traffic to and from an IP
33 <para><command>Conversations</command> e.g. traffic between specific IP
37 <para><command>IO Graphs</command> visualizing the number of packets (or
38 similar) in time.</para>
44 Protocol specific statistics:
48 <para><command>Service Response Time</command> between request and response
49 of some protocols.</para>
52 <para><command>Various other</command> protocol specific statistics.</para>
57 <tip><title>Tip!</title>
59 The protocol specific statistics requires detailed knowledge about the
60 specific protocol. Unless you are familiar with that protocol, statistics
61 about it will be pretty hard to understand.
67 <section id="ChStatSummary">
68 <title>The "Summary" window</title>
70 General statistics about the current capture file.
72 <figure><title>The "Summary" window</title>
73 <graphic entityref="EtherealStatsSummary" format="PNG"/>
77 <para><command>File</command> general information about the capture file.
81 <para><command>Time</command> the timestamps when the first and the
82 last packet were capturing (and the time between them).</para>
85 <para><command>Capture</command> information from the time when the
86 capture was done (only available if the packet data was captured from the
87 network and not loaded from a file).</para>
90 <para><command>Display</command> some display related information.</para>
94 <command>Traffic</command> some statistics of the network traffic seen.
95 If a display filter is set, you will see values in both columns. The
96 values in the <command>Captured</command> column will remain the same as
97 before, while the values in the <command>Displayed</command> column will
98 reflect the values corresponding to the packets shown in the display.
104 <section id="ChStatHierarchy">
105 <title>The "Protocol Hierarchy" window</title>
107 The protocol hierarchy of the captured packets.
108 <figure><title>The "Protocol Hierarchy" window</title>
109 <graphic entityref="EtherealStatsHierarchy" format="PNG"/>
111 This is a tree of all the protocols in the capture. You can collapse or
112 expand subtrees, by clicking on the plus / minus icons. By default, all
116 Each row contains the statistical values of one protocol.
119 The following columns containing the statistical values are available:
122 <para><command>Protocol</command> this protocol's name</para>
125 <para><command>% Packets</command> the percentage of protocol packets,
126 relative to all packets in the capture</para>
129 <para><command>Packets</command> the absolute number of packets of this
133 <para><command>Bytes</command> the absolute number of bytes of this
137 <para><command>MBit/s</command> the bandwidth of this protocol, relative
138 to the capture time</para>
142 <command>End Packets</command> the absolute number of packets of this
143 protocol (where this protocol were the highest protocol to decode)
148 <command>End Bytes</command> the absolute number of bytes of this protocol
149 (where this protocol were the highest protocol to decode)
154 <command>End MBit/s</command> the bandwidth of this protocol, relative to
155 the capture time (where this protocol were the highest protocol to decode)
160 <note><title>Note!</title>
162 Packets will usually contain multiple protocols, so more than one protocol
163 will be counted for each packet.
164 Example: In the screenshot IP has 99,17% and TCP 85,83% (which is together
165 much more than 100%).
170 <section id="ChStatEndpoints">
171 <title>Endpoints</title>
173 Statistics of the endpoints captured.
174 <tip><title>Tip!</title>
176 If you are looking for a feature other network tools call a <command>
177 hostlist</command>, here is the right place to look. The list of
178 Ethernet or IP endpoints is usually what you're looking for.
182 <section id="ChStatEndpointDefinition"><title>What is an Endpoint?</title>
184 A network endpoint is the logical endpoint of separate protocol traffic of
185 a specific protocol layer. The endpoint statistics of Ethereal will take
186 the following endpoints into account:
191 <command>Ethernet</command> an Ethernet endpoint is identical to the
192 Ethernet's MAC address.
197 <command>Fibre Channel</command> XXX - insert info here.
202 <command>FDDI</command> a FDDI endpoint is identical to the FDDI MAC
208 <command>IPv4</command> an IP endpoint is identical to its IP address.
213 <command>IPX</command> XXX - insert info here.
218 <command>TCP</command> a TCP endpoint is a combination of the IP address
219 and the TCP port used, so different TCP ports on the same IP address are
220 different TCP endpoints.
225 <command>Token Ring</command> a Token Ring endpoint is identical to the
226 Token Ring MAC address.
231 <command>UDP</command> a UDP endpoint is a combination of the IP address
232 and the UDP port used, so different UDP ports on the same IP address are
233 different UDP endpoints.
237 <note><title>Broadcast / multicast endpoints</title>
239 Broadcast / multicast traffic will be shown separately as additional
240 endpoints. Of course, as these endpoints are virtual endpoints, the real
241 traffic will be received by all (multicast: some) of the listed unicast
246 <section id="ChStatEndpointsWindow">
247 <title>The "Endpoints" window</title>
249 This window shows statistics about the endpoints captured.
251 <figure><title>The "Endpoints" window</title>
252 <graphic entityref="EtherealStatsEndpoints" format="PNG"/>
255 For each supported protocol, a tab is shown in this window.
256 The tab labels shows the number of endpoints captured (e.g. the
257 tab label "Ethernet: 5" tells you that five ethernet endpoints have been
258 captured). If no endpoints of a specific protocol were captured, the tab
260 grayed out (although the related page can still be selected).
263 Each row in the list shows the statistical values for exactly one endpoint.
266 <command>Name resolution</command> will be done if selected in the window
267 and if it is active for the specific protocol layer (MAC layer for the
268 selected Ethernet endpoints page). As you might have noticed, the first
270 resolution of the first three bytes "Netgear", the second row's address was
271 resolved to an IP address (using ARP) and the third was resolved
272 to a broadcast (unresolved this would still be: ff:ff:ff:ff:ff:ff), the last two
273 Ethernet addresses remain unresolved.
275 <tip><title>Tip!</title>
277 This window will be updated frequently, so it will be useful, even if
278 you open it before (or while) you are doing a live capture.
282 <section id="ChStatEndpointListWindow">
283 <title>The protocol specific "Endpoint List" windows</title>
285 Before the combined window described above was available, each of its
286 pages were shown as separate windows. Even though the combined window is
287 much more convenient to use, these separate windows are still
288 available. The main reason is, they might process faster for
289 very large capture files. However, as the functionality is exactly the
290 same as in the combined window, they won't be discussed in detail here.
295 <section id="ChStatConversations">
296 <title>Conversations</title>
298 Statistics of the captured conversations.
300 <section><title>What is a Conversation?</title>
302 A network conversation is the traffic between two specific endpoints. For
303 example, an IP conversation is all the traffic between two IP addresses.
304 The description of the known endpoint types can be found in
305 <xref linkend="ChStatEndpointDefinition"/>.
308 <section id="ChStatConversationsWindow"><title>The "Conversations" window</title>
310 Beside the list content, the conversations window work the same way as the
311 endpoint ones, see <xref linkend="ChStatEndpointsWindow"/> for a
312 description how it works.
313 <figure><title>The "Conversations" window</title>
314 <graphic entityref="EtherealStatsConversations" format="PNG"/>
318 <section id="ChStatConversationListWindow">
319 <title>The protocol specific "Conversation List" windows</title>
321 Before the combined window described above was available, each of its
322 pages were shown as separate windows. Even though the combined window is
323 much more convenient to use, these separate windows are still
324 available. The main reason is, they might process faster for
325 very large capture files. However, as the functionality is exactly the
326 same as in the combined window, they won't be discussed in detail here.
331 <section id="ChStatIOGraphs">
332 <title>The "IO Graphs" window</title>
334 User configurable graph of the captured network packets.
337 You can define up to five differently colored graphs.
340 <figure><title>The "IO Graphs" window</title>
341 <graphic entityref="EtherealStatsIOGraphs" format="PNG"/>
345 The user can configure the following things:
348 <para><command>Graphs</command>
352 <command>Graph 1-5</command> enable the graph 1-5 (only graph 1 is enabled
358 <command>Color</command> the color of the graph (cannot be changed)
363 <command>Filter:</command> a display filter for this graph (only the
364 packets that pass this filter will be taken into account for that graph)
369 <command>Style:</command> the style of the graph (Line/Impulse/FBar)
377 <para><command>X Axis</command>
381 <command>Tick interval</command> an interval in x direction lasts
382 (10/1/0.1/0.01/0.001 seconds)
387 <command>Pixels per tick</command> use 10/5/2/1 pixels per tick interval
395 <para><command>Y Axis</command>
399 <command>Unit</command> the unit for the y direction (Packets/Tick,
400 Bytes/Tick, Advanced...)
405 <command>Scale</command> the scale for the y unit
406 (10,20,50,100,200,500,...)
414 XXX - describe the Advanced feature.
418 <section id="ChStatSRT">
419 <title>Service Response Time</title>
421 The service response time is the time between a request and the
422 corresponding response. This information is available for many protocols.
425 Service response time statistics are currently available for the following
429 <para><command>DCE-RPC</command></para>
432 <para><command>Fibre Channel</command></para>
435 <para><command>ITU-T H.225 RAS</command></para>
438 <para><command>LDAP</command></para>
441 <para><command>MGCP</command></para>
444 <para><command>ONC-RPC</command></para>
447 <para><command>SMB</command></para>
450 As an example, the DCE-RPC service response time is described in more
452 <note><title>Note!</title>
454 The other Service Response Time windows will work the same way (or only
455 sligthly different) compared to the following description.
459 <section id="ChStatSRTDceRpc">
460 <title>The "Service Response Time DCE-RPC" window</title>
462 The service response time of DCE-RPC is the time between the request and
463 the corresponding response.
466 First of all, you have to select the DCE-RPC interface:
468 <figure><title>The "Compute DCE-RPC statistics" window</title>
469 <graphic entityref="EtherealStatsSrtDcerpcFilter" format="PNG"/>
472 You can optionally set a display filter, to reduce the amount of packets.
474 <figure><title>The "DCE-RPC Statistic for ..." window</title>
475 <graphic entityref="EtherealStatsSrtDcerpc" format="PNG"/>
478 Each row corresponds to a method of the interface selected (so the EPM
479 interface in version 3 has 7 methods). For each
480 method the number of calls, and the statistics of the SRT time is
486 <section id="ChStatXXX">
487 <title>The protocol specific statistics windows</title>
489 The protocol specific statistics windows display detailed information
490 of specific protocols and might be described in a later
491 version of this document.
496 <!-- End of EUG Chapter Statistics -->
git.samba.org / obnox / wireshark / wip.git / blob